feat: implement coarse versioning in go#5225
Open
michaelkedar wants to merge 2 commits intogoogle:masterfrom
Hidden character warning
The head ref may contain hidden characters: "\ud83c\udfdc\ufe0f\ud83c\udfde\ufe0f"
Open
feat: implement coarse versioning in go#5225michaelkedar wants to merge 2 commits intogoogle:masterfrom
michaelkedar wants to merge 2 commits intogoogle:masterfrom
Conversation
another-rex
approved these changes
Apr 22, 2026
Contributor
another-rex
left a comment
another-rex
left a comment
There was a problem hiding this comment.
Looks good! Just some minor questions.
| } | ||
|
|
||
| func (e apkEcosystem) Coarse(_ string) (string, error) { | ||
| // TODO(michaelkedar): semantic.AlpineVersion currently breaks transitivity rules |
Contributor
There was a problem hiding this comment.
What happens if coarse is not supported when querying at the moment? Is it just everything for a specific package has to be loaded into memory?
| ) | ||
|
|
||
| func TestCoarseMonotonicityLarge(t *testing.T) { | ||
| if os.Getenv("RUN_COARSE_LARGE_TEST") != "1" { |
Contributor
There was a problem hiding this comment.
Can you document this env somewhere.
Also ideally add this to the Makefile as a help option similar to osv-scanner, though I think that can wait till we moved everything over to go.
| EmptyAs *string // If not nil, treats empty parts as the given string instead of removing them. If nil, removes them. | ||
| } | ||
|
|
||
| var implicitRegex = regexp.MustCompile(`\d+|\D+`) |
Contributor
There was a problem hiding this comment.
what does implicit mean here...?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Re-implements the
EE:XXXXXXXX.YYYYYYYY.ZZZZZZZZcomparable version string generation in Go from Python.The implementations are mostly the same as the Python ones, but the semantic submodule in scalibr is generally much more lenient in accepting technically invalid versions (dunno if we should be being more strict about this).
Differences are mostly due to how we want to handle invalid versions, which I don't think really appears in the OSV database. I'll do a pass over the AffectedVersions in the database once the worker is migrated to Go to make sure this is all consistent anyway.
I created a program & test that compiles every single unique version (from
affected[].versionsandaffected[].ranges[]) in every single OSV record, and verifies thatParseandCoarseboth error on the same strings, andCoarsemaintains monotonicity. This test doesn't run by default because a) the versions list is 22MB big and b) it takes a while to generate and run.I've also added some fuzzing tests to help catch edge cases if we want to run them for a bit. It's already helped me find a few edge cases in dpkg and packagist, which is nice. The regular tests run the fuzzers with only the explicit seed corpus. To do full fuzzing, you need to run it manually.
APK is currently not implemented due to transitivity issues in scalibr that I'm looking to fix (google/osv-scalibr#1932)